Bug 13353 - priorSecret not redacted in logs
Summary: priorSecret not redacted in logs
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.8.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2018-03-23 04:47 UTC by Aaron Haslett (dead mail address)
Modified: 2021-07-25 22:37 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Aaron Haslett (dead mail address) 2018-03-23 04:47:37 UTC

Comment 1 Aaron Haslett (dead mail address) 2018-03-23 04:48:42 UTC
In LDB, some values are redacted during debug prints.  The priorSecret value should also be included in that for secrets.ldb database.
Comment 2 Andrew Bartlett 2021-07-25 22:37:03 UTC
Fixed in Samba 4.9 and later by:

commit 6a09162df6bd38098253b50a7ac32bfdc8dbf9d4
Author: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Date:   Tue May 1 11:10:40 2018 +1200

    ldb: removing prior secret from logs
    priorSecret, like secret, can contain a machine account password
    (for secrets.ldb) and so should not be printed in a debug
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13353
    Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>